Closed ddrinka closed 6 years ago
Thanks for the PR! It all looks good except could you make the max connections a configurable setting?
I'll work on this this evening. Thanks again for pulling!
Hey @ddrinka, any progress on making that setting configurable?
I abandoned this feature because it was impacting normal users too much. Instead, a Fail2Ban implementation should be created for node-sftp-s3. After n unsuccessful logins, future login attempts should be barred for a set amount of time. I haven't written that code yet, as we were able to restrict our firewall sufficiently to avoid the bad actors, rather than having to deal with additional code changes.
This PR is admittedly a bit of a hack right now, but it's what I needed on my side. Let me know if there's interest and I can clean it up and make things configurable.
Running node-sftp-s3 on AWS, I was receiving 15 connection attempts per second from a bot trying to brute-force an SSH password. Since only public-key authentication is supported, that was never going to happen, but he quickly filled up my disks with failure logs.
This PR adds a 5 second delay before any rejection is reported, and limits the total number of connections to the server to 5.
Obviously exponential backoff, IP banning, etc., are better approaches, but this will make an attacker's ability to chug through a password list (uselessly) 75 times slower.